This module enables you to manage your Drupal file system from within Drupal itself. The module does not sufficiently validate Ajax calls, leading to the possibility of a Cross-Site Request Forgery (CSRF) attack. This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations [3] and the web-server account does not have write access to the Drupal root, only files/folders in Drupal's "files" directory are open to manipulation.
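As an added illustration (not the affected module's code or its actual fix), the sketch below shows a state-changing Ajax callback that rejects forged requests by checking a per-session token and confines the operation to the "files" directory. The module name `example_fm`, its path, permission and POST fields are hypothetical, and the Drupal 7 core API is an assumption, since the advisory names no version.

```php
<?php
// Added example: hypothetical module "example_fm"; Drupal 7 core API assumed.

/** Implements hook_menu(). */
function example_fm_menu() {
  $items['example_fm/ajax/delete'] = array(
    'page callback' => 'example_fm_ajax_delete',
    'access arguments' => array('administer example_fm'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Hands the per-session token to the module's own JavaScript. */
function example_fm_attach_token() {
  $settings = array('exampleFm' => array('token' => drupal_get_token('example_fm_ajax')));
  drupal_add_js($settings, 'setting');
}

/** Sends a JSON error with the given status line. */
function example_fm_fail($status, $message) {
  drupal_add_http_header('Status', $status);
  drupal_json_output(array('error' => $message));
}

/** Ajax callback: changes state, so it is POST-only and token-checked. */
function example_fm_ajax_delete() {
  $token = isset($_POST['token']) && is_string($_POST['token']) ? $_POST['token'] : '';
  // The permission check in hook_menu() does not stop CSRF: a forged request
  // rides on the administrator's own session. Only the token shows that the
  // request was issued by a page this site served to that session.
  if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !drupal_valid_token($token, 'example_fm_ajax')) {
    return example_fm_fail('403 Forbidden', 'Invalid or missing token');
  }
  // Resolve the request relative to the public files directory and reject
  // anything that lands outside it after symlinks and ".." are resolved.
  $base = drupal_realpath('public://');
  $rel = isset($_POST['path']) && is_string($_POST['path']) ? $_POST['path'] : '';
  $target = $base ? realpath($base . '/' . $rel) : FALSE;
  if (!$target || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($target)) {
    return example_fm_fail('400 Bad Request', 'Path is not a file under the files directory');
  }
  drupal_json_output(array('deleted' => file_unmanaged_delete($target)));
}
```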